Recent blog entries by kazen

Every once in a while the powers that be throw something at
you to make you realize what a bubble you live in. Today
was my day.

One of my clients is a bank for which I've installed a Linux-based
firewall. Earlier this month they contracted a
"Security Expert" to audit their entire network. They start
off by saying how the firewall is a security risk because
"Linux is a public domain operating system where information
on firewalls that run on Linux is easily found." Let me
just quote here some of their recommendations:

Currently, firewall protection is running on a 386 clone
running Linux Slackware version 7. After discussing the
firewall configuration with the Internet Service Provider,
it was determined that IP Chains are implemented for
protection against outside intruders. IP Chains is an
access-list only based application that does not monitor
stateful sessions. This makes the firewall vulnerable to
attacks where the TCP sequence numbers can be guessed and
potentially compromise [The Bank]'s security.

Recommendation
[name of security company] recommends the purchase of a
certified firewall capable of the following features:
Implement an ICSA certified firewall capable of initiating
and monitoring stateful IP sessions
Implement a firewall capable of randomizing TCP sequence
numbers.

And of course it just so happens that it is not
Slack 7.0 and it is not using IPChains...

Last time I checked things out with nmap, the TCP sequence
numbers generated by the Linux TCP/IP stack were "Random
Positive Increments." ...

For most things I do Linux is the best tool for the job, and
my customers respect my ability, so it has been a long time
since I was actually slapped in the real world with "Linux
is less secure because anyone can look at it."

Saw the Salon article reference over at sendmail.net.
Decided I like this a lot better than some other
implementations. I'm curious to see how it will stand up.
Sometimes things can be killed by too much success; I've
already seen mention in the diaries of people I admire that
it's recently gone beyond the point where you could read all
the diary updates every day.

Here's hoping that my latest
project will be to a point where I can ask for help before I
find out someone already has a solution...